Forum Discussion

Alain_B_150222
Sep 24, 2014

How to configure ASM for an application using REST?

Hi,


I tried to use the automatic ASM policy building feature, but realized this will generate a huge amount of URLs to add, as the application uses REST. I found nothing helpful in the docs. URLs added are like this:


  • /user/123
  • /user/123/edit
  • /user/54321
  • /user/54321/edit

Is there really no way to indicate that the application is using REST tech (I found nothing)? It also looks like it would be quite some task to specify wildcard URLs, as the wildcards are not regex based. So with only *, ? and [] available, it would need a separate URL wildcard added for each length of number ID used, for each object (many!) of the application ...


Am I correct with my findings? Does anyone have a suggestion? Or maybe I'm missing something?


Thanks, Alain


2 Replies

  • Hello, here are some hints to start with: with automatic policy building, there is an option in the advanced settings called "collapse to one entity" which will help you aggregate multiple URL entities if they have the same characteristics.


    REST means nothing from a protocol validation point of view; what you could use are profiles that validate content inside formats like JSON or XML used by your web services. You can either create and attach your content profile to URLs, or, while doing the automatic policy creation, check the option "JSON/XML payload detection" in the wizard's third tab.


    Whitelisting using regex is worth nothing from an administration point of view; that's why we propose either learning everything automatically (thus you are exhaustive) or using a simplified regex-like syntax.


  • Thanks for your quick reply.


    Indeed, the collapse option is interesting; I did not notice it so far (noob ;). From a quick test I did, it does not seem to work, however. I reduced the occurrences number to 10 (the default of 500 is quite high) and browsed the application to learn brand new URLs. I now have several new REST URLs appearing 60x or more often, but they only differ by the number the URLs end with. I'll investigate that part.


    The number part of the REST URLs is an ID, so I would consider it an unnamed parameter in the URL. But maybe I should just trust the application to handle it correctly. On the regex side, I only thought of something quite simple like [0-9]+ to look for numbers.
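The following is an added example, not code from the thread or from F5, illustrating the two points discussed above: why glob-style wildcards (*, ?, []) cannot express "one or more digits" the way the regex [0-9]+ can, so a digits-only allowlist needs one pattern per ID length, and what collapsing learned URLs that differ only by a numeric ID looks like. It assumes, without verifying against ASM, that ASM wildcards behave like POSIX shell globs (modelled here with Python's fnmatch, where * also matches "/"); the collapse function is a simplified stand-in, not ASM's "collapse to one entity" algorithm, and the URL sample is constructed from the examples in the original post.

```python
"""Glob-style URL wildcards versus regex, and collapsing numeric IDs.

Added example, not F5/ASM code. Assumption: ASM wildcards (*, ?, [])
behave like shell globs, modelled with fnmatch; '*' matches any run of
characters, including '/'.
"""
import fnmatch
import re
from collections import Counter

# Constructed sample of "learned" URLs, modelled on the thread's examples.
LEARNED_URLS = [
    "/user/123", "/user/123/edit",
    "/user/54321", "/user/54321/edit",
    "/user/7", "/order/99/edit",
    "/user/1abc/edit",          # not a numeric ID: must not collapse
]


def glob_match(pattern, url):
    """Glob-style wildcard match (assumed equivalent to ASM wildcards)."""
    return fnmatch.fnmatchcase(url, pattern)


def digit_globs(prefix, suffix, max_len):
    """One glob per possible ID length, e.g. /user/[0-9][0-9]/edit.

    A glob has no repetition operator, so "digits only, any length" has
    to be spelled out once per length, which is the problem the original
    post describes.
    """
    return [prefix + "[0-9]" * n + suffix for n in range(1, max_len + 1)]


def digits_only_glob_match(prefix, suffix, max_len, url):
    """True if the URL matches any of the per-length digit globs."""
    return any(glob_match(p, url) for p in digit_globs(prefix, suffix, max_len))


# The regex the reply mentions: '[0-9]+' expresses the same allowlist in one line.
USER_ID_RE = re.compile(r"^/user/[0-9]+(/edit)?$")


def regex_match(url):
    return USER_ID_RE.fullmatch(url) is not None


def collapse_numeric_ids(urls):
    """Replace all-digit path segments with '{id}' and count per template.

    Simplified stand-in for learning and collapsing: URLs that differ only
    by a numeric segment map to one template, so the counter shows how many
    hits each collapsed entity would have.
    """
    templates = Counter()
    for url in urls:
        segments = ["{id}" if s.isdigit() else s for s in url.split("/")]
        templates["/".join(segments)] += 1
    return templates


if __name__ == "__main__":
    loose = "/user/[0-9]*/edit"
    for u in ("/user/123/edit", "/user/1abc/edit"):
        print(f"{loose!r:24} {u!r:20} glob={glob_match(loose, u)} "
              f"digits_only={digits_only_glob_match('/user/', '/edit', 6, u)} "
              f"regex={regex_match(u)}")
    print("per-length globs needed for IDs up to 6 digits:",
          len(digit_globs("/user/", "/edit", 6)))
    for template, count in collapse_numeric_ids(LEARNED_URLS).items():
        print(f"{count:3}  {template}")
```

Running it shows that `/user/[0-9]*/edit` accepts `/user/1abc/edit` (the trailing `*` matches anything after the first digit), that a strict digits-only allowlist for IDs up to six digits takes six separate globs where the regex takes one, and that the collapse step reduces the five numeric `/user/...` URLs to two templates while leaving `/user/1abc/edit` as its own entity.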